Apple Pay – Great New Feature or Future Nightmare?

Apple Plays

Apple introduced the iPhone 6’s this week and spent time talking about the size, display and CPU speed but it also spent an exorbitant amount of time, marketing dollars and effort to push a new feature most people could really care less about, Apple Pay.

What is Apple Pay?

Apple Pay is a payment service on the iPhone that stores and transmits your credit card information. Let that sink in before moving on.

Apple has not released much in the way of details yet on exactly how Apple Pay works to the public and the media has several different guesses of how it thinks the system will work. Gartner claims no credit card information will be stored on the phone, using your iTunes credit card information, others including Apple say your card details will be stored on the phone. The Washington Post writer assures his readers that by using the iPhone finger print reader no one else will be able to make purchases with your phone. He doesn’t bother to mention how the fingerprint reader was also hacked, in less than two days after it was released. And that virtual card numbers are what will be sent to the merchant from your phone instead of your actual card number.

Using the docs from stripe.com, a third party offering an API to allow merchants to use Apple Pay without needing to do all the integration on their own it would seem that credit card information is stored on your iPhone and depending on the merchant you are using you will be sending them your card number, CVC code, name, expiration date and billing address, all information that they can choose to store for later use if they decide they want to. Stripe.com’s documentation includes frightening phrases including “Make sure any communication with your server is SSL secured to prevent eavesdropping.” Shouldn’t Apple Pay force SSL communication?

This is all speculation at this point but I think Stripe.com likely has better information than the Washington Post and Gartner at this point.

However, I couldn’t leave out this little gem out from Makeuseof.com as they stay in lock step with the party line claiming anyone who doesn’t fully embrace Apples latest feature as the greatest change to the monetary system since the advent of coins is a lunatic alien abductee.

“Those of you reaching for your tinfoil hats will be relieved to hear the usual security and privacy spiel from such an announcement involving sensitive financial data. Merchants cannot see card numbers, Apple cannot tell what you are buying, and if you lose your phone, you can simply suspend the service using Find My iPhone.”

All but the last part about using Find My iPhone is incorrect, but it doesn’t matter because they don’t address the real security concerns.

Update: According to Nerd Wallet, Apple will get 0.15% of each transaction paid to them by the bank issuing the credit card. This new additional fee on top of the regular fees paid per transaction for the convenience of using a card instead of cash will unwittingly be paid for by consumer. When you think about the concept of paying a company to lend you your own money with interest and fees added on to it you may begin to understand that using cash and living within a realistic budget is better than using Apple or any credit card company.

The Real Point Please?

Here is the main problem with what Gartner, WAPO all of the internet sites claiming there is nothing to worry about. They all talk about how the transaction is secure, how the merchant doesn’t actually get your card details, how a random number or one time token is going to keep your purchase secure. Great. But what about the phone? How secure is the device where you are storing the cards? With all the information needed to use each one of your cards. I don’t recall Apple talking about how secure their phone and new OS are, none of the websites fighting for your precious monetized clicks talk about how secure the platform storing all your data is. Instead they make claims to ensure you that Apple has it all figured out, after all it’s Apple! They never have security problems, just ask Kate Upton, Kirsten Dunst, Jennifer Lawrence or Jonathan Zdziarski. Jonathan is the researcher that presented a paper recently on how every iOS device is running hidden and undocumented services that allow access to phone data even the ability to bypass the iTunes backups encryption all without needing physical access to your phone. Which it doesn’t take much thought to figure out exactly how someone could get at all the photos of all celebrities, your spouse or your own photos stored in iCloud.

When Target and the other retailers had their POS systems hacked, they did not attack the individual payments, they wanted the card data so they could sell the cards on the market and then those who bought the cards would use them to make fraudulent purchases, clean out accounts or worse. Talking about how a single transaction is secure is only interesting if you are a merchant, bank, card processing company or Apple. The consumer loses nothing if a retailer or bank doesn’t secure their transaction because they are covered. But if the consumer has their savings account drained to $0, well they are just out all of their savings. The banks, card processor and retailer will happily take that stolen money.

One Last Thing

Apple Pay uses NFC to transmit your purchase details. In 2012, 2013 and 2014 there have been demonstrations on how to hack NFC to take advantage of payment systems to steal data, send payments and transfer funds. It’s unfortunate that Apple and the media won’t spend the 30 seconds it takes to Google NFC credit card hack and watch the videos, read the conference notes and articles on how insecure NFC really is.

Credit Card stealing Apps from NFC cards – Latest News …
www.secure-commerce.org/…/credit-card-stealing-apps-from-nfc-cards/
Apr 29, 2013 – This report in Mashable and CBS reports that there’s app’s now available to read and hack the NFC data on credit cards with the purpose of …

The Perfect Hack for Enabling NFC Credit Card Payments …
www.businessinsider.com/the-perfect-hack-for-enabling-…
Business Insider
Aug 3, 2011 – Remember the good ol’ days when you actually had to swipe your credit or debit card to make a pay…